[CentOS] pam_succeed_if

Fri Jun 10 09:43:37 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Fri, 10 Jun 2011, John Doe wrote:

> From: Daniel De Marco <ddm at bartol.udel.edu>
>
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite    pam_succeed_if.so uid >= 500 quiet
>> auth        required      pam_deny.so
>> What's the use of the pam_succeed_if line? It will only be reached if
>> the pam_unix doesn't succeed and from my understanding it will prevent
>> system accounts from logging in. Is it useless or am I missing
>> something?
>
> Pure speculation:
> 1. pam_unix just allows/disallows to go further in the checks.
> 2. succeed_if only let users accounts login
> 3. everything else, deny.

Isn't it redundant as is, but makes a whole lot more sense once you have a
network login in there.

If you succeed on pam_unix, you're done.  So a local account doesn't need
further checks.  The next check ensures that a non-local source (say NIS/LDAP)
doesn't allow logins to system accounts (UID<500).  Since you've got none, it
makes no difference, since you either fail on that line, or you fail on the
pam_deny.

Just imagine an ldap lookup after the pam_succeed_if line.  It's presumably
left in because it makes authconfig's life easier, and doesn't really matter
anyway.

jh